FreeRadius, Active Directory, LDAP Authorization

suggestme samanaupadhyay at
Mon Dec 5 16:05:29 CET 2011


I have installed FreeRadius server 2.1.12, installed and configured
Kerberos and Samba, and configured the ntlm_auth program for FreeRadius
authentication with Active Directory. Everything is successful and running
smoothly up to this stage. Now I am in the phase of configuring authorization in
FreeRadius. For the authorization process I want to use an LDAP database which is
already up and running on another server (not on the server where FreeRadius
is installed). The authorization should be granted in such a way that some
users are allowed/restricted VPN, some are allowed/restricted wifi, etc. I am
not sure whether this is the best way to do authorization using LDAP or not,
because it is the first time I am trying this in FreeRadius. After changing the
configuration as mentioned below and running FreeRadius in debug mode, I get a
successful "Ready to process requests", but when supplying user credentials I get:
rad_recv: Access-Reject packet from host port 1812, id=60, length=20.

What I have done so far is: I uncommented "ldap" in the authorize section of
both files /usr/local/etc/raddb/sites-enabled/default and
/usr/local/etc/raddb/sites-enabled/inner-tunnel. I have changed the
configuration in /usr/local/etc/raddb/modules/ldap accordingly as follows (some
parts are left blank for privacy):

ldap {
    server = "*My ldap server name*"
    identity = "cn=     ,dc=       ,dc=        "
    password = 
    basedn = "dc=            ,dc=          "
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    edir_account_policy_check = no
}

In the /usr/local/etc/raddb/users file:

DEFAULT         Auth-Type = ntlm_auth
bob     Cleartext-Password := "hello"

I haven't made any change related to LDAP in the authenticate section of either
/usr/local/etc/raddb/sites-enabled/default or
/usr/local/etc/raddb/sites-enabled/inner-tunnel. I
have listed the authenticate section of ntlm_auth by following 

But while following the *"rlm_ldap"* doc I have seen that it is mentioned: 

LDAP and Active Directory

 *You can only use PAP, and then only if you list "ldap" in the
"authenticate" section.*

Does this mean I need to list ldap in the authenticate section also? If I list
it, what about ntlm_auth, which is already enabled for authentication? I am
confused by this.

Do I also need to install openldap and openssl on the machine where
freeradius is installed to make LDAP authorisation work properly?

Please advise whether the configuration and process I am following for LDAP
is a good way to do this or not. If not, what is the best way to achieve
it? Any documentation/site/thread suggestion regarding this would be
greatly appreciated. 
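As an added illustration (not part of the original post or of the FreeRADIUS distribution), this is one way the per-service restriction described above can be expressed in FreeRADIUS 2.x unlang, in the authorize section of sites-enabled/default: rlm_ldap is used only to look the user up and answer group checks, while authentication stays with ntlm_auth as set in the users file. It assumes the ldap module's group settings (groupname_attribute and groupmembership_filter/attribute) already resolve membership against the directory; the group names vpn-users and wifi-users are placeholders.

```unlang
authorize {
    preprocess

    # Run rlm_ldap first so that the Ldap-Group checks below can be answered
    # from the directory. With authentication handled by ntlm_auth, the module
    # should have set_auth_type = no so it never claims Auth-Type for itself
    # (assumption: that option is set in modules/ldap).
    ldap

    # VPN requests: the NAS reports NAS-Port-Type = Virtual. Refuse anyone who
    # is not a member of the VPN group, with an explicit message for the logs.
    if (NAS-Port-Type == Virtual && !(Ldap-Group == "vpn-users")) {
        update reply {
            Reply-Message := "Not authorized for VPN access"
        }
        reject
    }

    # Wireless requests: NAS-Port-Type = Wireless-802.11. Same pattern, different group.
    if (NAS-Port-Type == Wireless-802.11 && !(Ldap-Group == "wifi-users")) {
        update reply {
            Reply-Message := "Not authorized for wireless access"
        }
        reject
    }

    # Everything that reaches this point is authorized for the requested service;
    # the users file (DEFAULT Auth-Type = ntlm_auth) selects the authenticator.
    files

    # Remaining modules of the original authorize section follow unchanged.
}
```

Running radiusd -X and sending a test request with the relevant NAS-Port-Type shows which branch fired, since each reject carries its own Reply-Message.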

